42 CFR Part 2 training is required for substance use disorder treatment programs before any workforce member accesses patient records, when a program begins providing or advertising substance use disorder services, when staff receive protected information as lawful holders, and when licensing, certification, or federal funding conditions require documented training completion. Who needs Part 2 training extends beyond clinical staff to include all workforce members whose roles involve any contact with substance use disorder patient information. Training is a precondition for compliance, not a consequence of it. Workforce members cannot apply restrictions on consent, disclosure, and redisclosure correctly without first understanding how 42 CFR Part 2 operates and how it differs from HIPAA.
What 42 CFR Part 2 Is and Which Organizations It Covers
42 CFR Part 2 is the federal regulation governing the confidentiality of substance use disorder patient records. It was established under the authority of 42 U.S.C. 290dd-2 and applies to any program that is federally assisted and holds itself out as providing, or provides, substance use disorder diagnosis, treatment, or referral for treatment. Federal assistance includes receipt of federal funding, federal tax-exempt status, or authorization to prescribe controlled substances under federal law. The regulation applies to the program as a whole, including every unit within a larger organization that provides substance use disorder services.
Who must comply with 42 CFR Part 2 includes the program itself, all workforce members of that program, lawful holders of information disclosed by the program, and third-party contractors or service providers who receive protected information in connection with program functions. Compliance obligations attach to the information, not only to the program that originally created it. Once substance use disorder patient information is disclosed, the receiving party becomes subject to the same confidentiality requirements.
42 CFR Part 2 imposes confidentiality protections that are stricter than and operate separately from the HIPAA Privacy Rule. Both regulations may apply simultaneously to organizations that qualify as HIPAA Covered Entities and federally assisted substance use disorder programs. When both apply, the more restrictive standard governs. HIPAA and Part 2 together require workforce members to understand two distinct regulatory frameworks and apply the correct standard to each disclosure scenario they encounter.
How 42 CFR Part 2 Differs from HIPAA on Consent and Disclosure
The HIPAA Privacy Rule permits Covered Entities to use and disclose protected health information for treatment, payment, and healthcare operations without patient authorization. 42 CFR Part 2 does not extend that permission to substance use disorder patient records. Under 42 CFR Part 2.13, most disclosures require written patient consent regardless of whether the purpose is treatment, payment, or care coordination.
That written consent must include specific elements: the name of the program making the disclosure, the name or title of the individual or organization receiving the information, the patient’s name, the purpose of the disclosure, how much and what kind of information will be disclosed, a statement that the patient may revoke consent at any time, and an expiration date or event after which the consent is no longer valid. A general HIPAA authorization does not satisfy the 42 CFR Part 2 consent requirement.
The 2024 amendments to 42 CFR Part 2, which took effect February 16, 2024, aligned several provisions more closely with HIPAA, including allowing disclosures for payment and healthcare operations with a single patient consent that covers future uses. Those amendments did not eliminate the written consent requirement for most disclosure scenarios, and they did not remove the prohibition on using substance use disorder records in criminal proceedings without a court order. Why Part 2 training matters remains grounded in the fact that its consent standard exceeds what HIPAA requires, and workforce members who apply HIPAA rules to Part 2 disclosures will produce compliance violations.
Training Before Access to Patient Records
42 CFR Part 2 training must be completed before a workforce member is granted access to substance use disorder patient records or systems containing protected information. This applies to employees, contractors, volunteers, students on placement, and temporary staff whose roles involve any interaction with patient data. New employee training requirements under Part 2 follow the same logic as HIPAA: access to protected information without prior training creates direct regulatory exposure for the program.
Training at the point of onboarding establishes the workforce member’s understanding of what constitutes protected information, which disclosures require written consent, and how to handle a request for records in a way that does not violate the regulation. A workforce member who encounters a records request, a law enforcement inquiry, or a care coordination scenario without prior training on Part 2 requirements has no regulatory basis for making the correct decision. When training must be provided is before access, not after exposure.
Training When Programs Begin or Expand Substance Use Disorder Services
When a healthcare organization begins offering substance use disorder services, or expands an existing scope of practice to include diagnosis, treatment, or referral, 42 CFR Part 2 training is required for all workforce members assigned to those functions. The regulation applies from the point the program holds itself out as providing these services, not from the point a patient is enrolled.
This requirement also applies when a distinct unit within a larger organization begins providing substance use disorder services. Staff assigned to that unit must receive Part 2 training even if the broader organization already trains on HIPAA. The confidentiality obligations under Part 2 are specific to the substance use disorder context and are not addressed by standard HIPAA training. Failure to train before services begin places the program in violation before the first patient interaction.
Training for Lawful Holders of Substance Use Disorder Information
Training is required when workforce members receive substance use disorder patient information from another program and become lawful holders of that information. This occurs in coordinated care arrangements, referrals, and information exchanges where patient data is transferred under a valid consent or a permitted exception. Once the information is received, the receiving organization becomes subject to the same confidentiality requirements that applied to the originating program.
Lawful holders may not redisclose substance use disorder patient information without a new patient consent that meets the 42 CFR Part 2.13 requirements, or without a specific permitted exception such as a medical emergency, a qualified service organization agreement, or a court order. The original consent that authorized the transfer to the lawful holder does not authorize further redisclosure. Workforce members at receiving organizations must understand this restriction before they handle the information, because an unauthorized redisclosure by a lawful holder carries the same regulatory consequences as one by the originating program. How training supports compliance in this context is direct: a workforce member who knows the redisclosure prohibition will not route substance use disorder records through standard HIPAA disclosure channels.
Training Required for Licensing, Certification, and Federal Funding
Many state licensing and certification frameworks for substance use disorder treatment programs require documented training completion as a condition of licensure or renewal. Facilities must demonstrate that workforce members have received instruction on both HIPAA and 42 CFR Part 2 confidentiality obligations. The specific documentation requirements vary by jurisdiction, but the training obligation itself is federal and applies regardless of state requirements.
Participation in Medicaid programs, block grant funding, and other federally supported arrangements may impose training conditions as part of program participation agreements. Organizations that cannot produce training records for workforce members who handle substance use disorder patient information face audit findings, corrective action obligations, and potential funding consequences independent of any patient complaint or disclosure incident. Choosing Part 2 training that produces retrievable completion records for each workforce member supports both the regulatory and contractual documentation obligations organizations face in these arrangements.
Retraining Following Policy Changes and Compliance Events
Training must be repeated when changes to internal policies, regulatory amendments, or identified compliance risks affect how workforce members handle substance use disorder patient information. The 2024 amendments to 42 CFR Part 2 created a specific retraining obligation for programs that adopted the revised consent framework, because the permitted uses and required consent elements changed. Programs that updated their consent forms and disclosure procedures without retraining their workforce created a gap between written policy and workforce practice.
Compliance events including unauthorized disclosures, audit findings, and patient complaints also trigger a retraining obligation. Targeted training following these events addresses the specific knowledge gap that produced the violation and supports the corrective action plan the program submits to its oversight body. A recommended training curriculum for Part 2 should be reviewed annually and updated to reflect any regulatory changes, enforcement guidance, or operational changes that occurred during the prior year.
The Relationship Between 42 CFR Part 2 Training and HIPAA Training
Organizations subject to both 42 CFR Part 2 and HIPAA cannot satisfy their training obligations by delivering HIPAA training alone. The two frameworks address different aspects of patient information protection, and the gaps between them are precisely where compliance failures occur most often. A workforce member trained only on HIPAA will understand that treatment, payment, and healthcare operations disclosures are permitted without patient authorization. That same workforce member will not understand that those same disclosures require written patient consent under Part 2, and will apply the wrong standard when handling substance use disorder records.
The training program must address both regulatory frameworks together, explain where they overlap, identify where Part 2 is stricter, and give workforce members clear guidance on which standard applies in common operational scenarios including records requests, care coordination, billing inquiries, and law enforcement contact. The HIPAA Journal’s training for substance use disorder treatment programs integrates both frameworks into a single course that gives workforce members the regulatory foundation they need before they access patient records or perform functions involving protected substance use disorder information.
